EP3800570B1 - Methods and systems for genetic malware analysis and classification using code reuse patterns - Google Patents

Methods and systems for genetic malware analysis and classification using code reuse patterns Download PDF

Info

Publication number
EP3800570B1
EP3800570B1 EP20199874.7A EP20199874A EP3800570B1 EP 3800570 B1 EP3800570 B1 EP 3800570B1 EP 20199874 A EP20199874 A EP 20199874A EP 3800570 B1 EP3800570 B1 EP 3800570B1
Authority
EP
European Patent Office
Prior art keywords
code
target
genes
individually
instruction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
EP20199874.7A
Other languages
German (de)
French (fr)
Other versions
EP3800570C0 (en
EP3800570A1 (en
Inventor
Itai Tevet
Roy Halevi
Ari Eitan
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Intezer Labs Ltd
Original Assignee
Intezer Labs Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Intezer Labs Ltd filed Critical Intezer Labs Ltd
Publication of EP3800570A1 publication Critical patent/EP3800570A1/en
Application granted granted Critical
Publication of EP3800570C0 publication Critical patent/EP3800570C0/en
Publication of EP3800570B1 publication Critical patent/EP3800570B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/565Static detection by checking file integrity
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/30Arrangements for executing machine instructions, e.g. instruction decode
    • G06F9/30003Arrangements for executing specific machine instructions
    • G06F9/30007Arrangements for executing specific machine instructions to perform operations on data operands
    • G06F9/3001Arithmetic instructions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/30Arrangements for executing machine instructions, e.g. instruction decode
    • G06F9/30003Arrangements for executing specific machine instructions
    • G06F9/30007Arrangements for executing specific machine instructions to perform operations on data operands
    • G06F9/30032Movement instructions, e.g. MOVE, SHIFT, ROTATE, SHUFFLE
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/30Arrangements for executing machine instructions, e.g. instruction decode
    • G06F9/30003Arrangements for executing specific machine instructions
    • G06F9/30076Arrangements for executing specific machine instructions to perform miscellaneous control operations, e.g. NOP
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Definitions

  • the present invention relates to methods and systems for genetic malware analysis and classification using code reuse patterns.
  • Terminating a process and deleting a file offers zero guarantees and solves no problems in the long term, unfortunately.
  • Standard solutions such as signature based (AV) and behavioral analysis tools (sandboxes, EDR) can be circumvented by threat actors reusing code and assets.
  • AV signature based
  • EDR behavioral analysis tools
  • US Patent Publication No. 2014/0068768 recites an apparatus for identifying related code variants may include processing circuitry configured to execute instructions for receiving query binary code, processing the query binary code to generate one or more query code fingerprints comprising compressed representations of respective functional components of the query binary code, comparing the one or more query code fingerprints to at least some reference code fingerprints stored in a database to determine a similarity measure between the one or more query code fingerprints and at least some of the reference code fingerprints, and preparing at least one report based on the similarity measure.
  • US Patent Publication No. 2015/0186649 recites systems and methods for generating and applying identification codes or "fingerprints" with respect to software functions contained in executable files. Utilizing such fingerprinting procedures, the function identification codes for known malicious files and/or known benign can be stored in the database. Subsequently, received files can be processed in the same manner and the function identification codes generated for the received files can be compared against the function identification codes for the known malicious files and/or known benign files in the database to determine a level of similarity between the functions of received executable files and those of known categorized executable files in the database.
  • US Patent Publication No. 2017/0344352 recites that in a dynamic computing environment, it is a nontrivial task to verify code running in the environment because most approaches to software similarity require extensive and time-consuming analysis of a binary, or the approaches fail to recognize executables that are similar but nonidentical.
  • a biosequence-based method for quantifying similarity of executable binaries is used to identify allowed codes in a real-world multi-user environment.
  • US Patent Publication No. 2009/0313700 recites a system and method for generating malware definitions for use in managing malware on a computer, including receipt of a binary file running in system memory; taking a memory dump of the binary file at a time slice and storing the memory dump in a memory dump file; applying a normalization process to the memory dump file, wherein the normalization process alters a collection of data from the memory dump file, resulting in a normalized file; applying a comparison process between the normalized file and each of a plurality of normalized files stored in a database of malware definitions wherein the comparison process produces a comparison value associated with each of the normalized files in the database of malware definitions; and inserting the normalized file into the database of malware definitions, when each of the comparison values satisfies a predetermined criterion.
  • US Patent Publication No. 2007/0240217 recites a system and method for detecting malware by modeling the behavior of malware and comparing a suspect executable with the model.
  • Feature elements are extracted from malware-infected applications, groups the feature elements into feature sets, and develops rules describing a malicious probability relationship between the feature elements.
  • exemplary is used herein to refer to examples of embodiments and/or implementations, and is not meant to necessarily convey a more-desirable use-case.
  • alternative and “alternatively” are used herein to refer to an example out of an assortment of contemplated embodiments and/or implementations, and is not meant to necessarily convey a more-desirable use-case. Therefore, it is understood from the above that “exemplary” and “alternative” may be applied herein to multiple embodiments and/or implementations. Various combinations of such alternative and/or exemplary embodiments are also contemplated herein.
  • Embodiments of the present invention utilize genetic malware analysis which is based on the evolutionary principle that all software, whether legitimate or malicious, is comprised of previously written code. Malware authors leverage code reuse when employing new campaigns. For defenders, this provides critical information for detection, classification, level of sophistication and threat actor capabilities.
  • Embodiments of the present invention exploit such aspects by generating a complete mapping of a suspicious file including information about which pieces of code have been seen only in a specific malware family, only in trusted software, or in both malicious and trusted software.
  • metadata such as who is the vendor who wrote the code, and which versions does the code appear in provide useful information and context regarding the granular assembly-code pieces.
  • knowing that a piece of code hasn't been seen before can also indicate the following. If a suspicious file includes a lot of unique code, it might be a sign of a new malware variant, and that might be used as a strong indicator for detecting sophisticated threats. In such cases, the organization's SOC (Security Operation Center) or IR (Incident Response) team knows to place their focus and resources on these pieces of code, in order to determine their meaning.
  • SOC Security Operation Center
  • IR Incident Response
  • Embodiments of the present invention enable security teams to reduce the number of files that need to be manually analyzed, enabling them to focus on the harmful, malicious files, prioritizing actual threats over false positives.
  • the ability to index specific malware targeting the organization into the genome database means security professionals can not only ensure immunity for a single incident, but immune the organization against an adversary entirely.
  • tracking code reuse in malware forces the attacker to rewrite their tools and assets, making it much harder to conduct cyber-attacks.
  • Embodiments of the present invention enable trusted code to be indexed as well. For example, if proprietary software has code that was never seen before in the genome database, the code can be indexed as trusted. Such code would be visible only to the software's owner.
  • Implementations of the present invention dissect any given executable file (e.g., from disk or memory) into tiny pieces of binary code, referred to as genes, and compare the file's genes to a code genome database containing billions of genes from trusted and malicious software.
  • executable file e.g., from disk or memory
  • genes tiny pieces of binary code
  • a method for genetic malware analysis and classification using code reuse patterns including the steps of: (a) upon receiving a target binary file, disassembling the target binary file into assembly code; (b) extracting individually-identifiable code fragments from the assembly code; (c) normalizing the individually-identifiable code fragments into target genes by: (i) grouping certain instructions in a given individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in the given individually-identifiable code fragment; and (ii) grouping certain individually-identifiable code fragments into a unique target gene, of the target genes, that forms at most exclusively only one function code for performing a command instruction; (d) collating the target genes into a code genome database; and (e) detecting all files and/or code families in the code genome database containing the target genes from the target binary file, wherein the step of detecting includes prioritizing that false-positive matches between the files and/or
  • the step of normalizing includes upon detecting a NOP instruction, corresponding to a command for no operation to be performed, removing the NOP instruction from the target genes.
  • the step of normalizing includes upon detecting a MOV instruction in a specific individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein the MOV instruction is listed in the specific individually-identifiable code fragment before a CALL instruction, normalizing the MOV instruction to a PUSH instruction in the target genes.
  • the MOV instruction is normalized to the PUSH regardless of whether the MOV instruction and the CALL instruction are consecutive instructions.
  • the step of normalizing includes upon detecting a SUB instruction, corresponding to a command for a subtraction operation to be performed, normalizing the SUB instruction to an ADD instruction, corresponding to a command for an addition operation to be performed, in the target genes.
  • the method further includes the step of: (f) determining an accurate designation of the target binary file based on the target genes.
  • the accurate designation of the target binary file is: (i) malicious based on shared genes in the target genes and the code genome database only found in malicious files; or (ii) benign based on shared genes in the target genes and the code genome database only found in trusted files.
  • the step of determining includes determining the target binary file is associated with at least one malware file family based on families of files that the target binary file shares shared genes with.
  • the step of normalizing includes normalizing multiple code instructions into a single code instruction.
  • a system for genetic malware analysis and classification using code reuse patterns including: (a) a CPU for performing computational operations; (b) a memory module for storing data; and (c) a disassembly module configured for, upon receiving a target binary file, disassembling the target binary file into assembly code; (d) an extracting module configured for extracting individually-identifiable code fragments from the assembly code; (e) a normalizing module configured for normalizing the individually-identifiable code fragments into target genes by: (i) grouping certain instructions in a given individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in the given individually-identifiable code fragment; and (ii) grouping certain individually-identifiable code fragments into a unique target gene, of the target genes, that forms at most exclusively only one function code for performing a command instruction; (f) a collating module configured for collating the target genes into a code genome database;
  • the normalizing includes upon detecting a NOP instruction, corresponding to a command for no operation to be performed, removing the NOP instruction from the target genes.
  • the normalizing includes upon detecting a MOV instruction in a specific individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein the MOV instruction is listed in the specific individually-identifiable code fragment before a CALL instruction, normalizing the MOV instruction to a PUSH instruction in the target genes.
  • the MOV instruction is normalized to the PUSH regardless of whether the MOV instruction and the CALL instruction are consecutive instructions.
  • the normalizing includes upon detecting a SUB instruction, corresponding to a command for a subtraction operation to be performed, normalizing the SUB instruction to an ADD instruction, corresponding to a command for an addition operation to be performed, in the target genes.
  • system further including: (h) a determining module configured for determining an accurate designation of the target binary file based on the target genes.
  • the accurate designation of the target binary file is: (i) malicious based on shared genes in the target genes and the code genome database only found in malicious files; or (ii) benign based on shared genes in the target genes and the code genome database only found in trusted files.
  • the determining includes determining the target binary file is associated with at least one malware file family based on families of files that the target binary file shares shared genes with.
  • the normalizing includes normalizing multiple code instructions into a single code instruction.
  • a non-transitory computer-readable storage medium having computer-readable code embodied on the non-transitory computer-readable storage medium, for genetic malware analysis and classification using code reuse patterns
  • the computer-readable code including: (a) program code for, upon receiving a target binary file, disassembling the target binary file into assembly code; (b) program code for extracting individually-identifiable code fragments from the assembly code; (c) program code for normalizing the individually-identifiable code fragments into target genes by: (i) grouping certain instructions in a given individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in the given individually-identifiable code fragment; and (ii) grouping certain individually-identifiable code fragments into a unique target gene, of the target genes, that forms at most exclusively only one function code for performing a command instruction; (d) program code for collating the target genes into a code genome database; and (e) program code for detecting
  • the normalizing includes upon detecting a NOP instruction, corresponding to a command for no operation to be performed, removing the NOP instruction from the target genes.
  • the normalizing includes upon detecting a MOV instruction in a specific individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein the MOV instruction is listed in the specific individually-identifiable code fragment before a CALL instruction, normalizing the MOV instruction to a PUSH instruction in the target genes.
  • the MOV instruction is normalized to the PUSH regardless of whether the MOV instruction and the CALL instruction are consecutive instructions.
  • the normalizing includes upon detecting a SUB instruction, corresponding to a command for a subtraction operation to be performed, normalizing the SUB instruction to an ADD instruction, corresponding to a command for an addition operation to be performed, in the target genes.
  • the computer-readable code further includes: (f) program code for determining an accurate designation of the target binary file based on the target genes.
  • the accurate designation of the target binary file is: (i) malicious based on shared genes in the target genes and the code genome database only found in malicious files; or (ii) benign based on shared genes in the target genes and the code genome database only found in trusted files.
  • the determining includes determining the target binary file is associated with at least one malware file family based on families of files that the target binary file shares shared genes with.
  • the normalizing includes normalizing multiple code instructions into a single code instruction.
  • the present invention relates to methods and systems for genetic malware analysis and classification using code reuse patterns.
  • the principles and operation for providing such methods and systems, according to the present invention may be better understood with reference to the accompanying description and the drawings.
  • Figure 1A is a simplified flowchart of the major process steps for the gene extraction process, according to embodiments of the present invention.
  • the process starts with activation of the gene extraction process upon accessing a target binary file (Step 2 ).
  • the binary file is then disassembled into assembly code (Step 4 ).
  • Individually identified code fragments are extracted from the assembly code (Step 6 ).
  • a normalization process is then performed to produce the genes of assembly code (Step 8 ).
  • the genes are finally collated in a code genome database (Step 10 ).
  • the normalization process involves two grouping sub-steps.
  • the first such sub-step involves grouping certain instructions in a given individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in the given individually-identifiable code fragment.
  • the second such sub-step involves grouping certain individually-identifiable code fragments into a unique target gene, of the target genes, that forms at most exclusively only one function code for performing a command instruction.
  • the normalization process is based on rules that can support multiple architectures and instruction sets (e.g., x86, x64, ARM, and ARM64) under different operating systems (Windows, Linux, and Android), and even can be effective for non-native, intermediate languages (e.g., .NET, Java, Python, and Visual Basic).
  • multiple code instructions can be normalized into a single code instruction.
  • Different rules are employed depending on the platform of the target file (i.e., different rules employed for x86, x64, .NET, and Java).
  • the code of the target file may typically include an instruction for no operation to be performed (referred to as a NOP instruction).
  • NOP instruction an instruction for no operation to be performed
  • the system removes the instruction from the normalized code.
  • the code of the target file may typically include a MOV instruction to move values to a register before calling a function.
  • MOV instruction When such a MOV instruction is detected, the system normalizes the instruction to a PUSH instruction in the normalized code.
  • a CALL instruction will jump to the function code and execute it. Such considerations depend on the compilation flags during the process. In order to be flexible, the system detects the genes as identical, even though the assembly is different. In one configuration, in order to send values to a function, the stack is utilized with a PUSH command. In another configuration, a MOV command moves values to registers before calling a function. The system normalizes such MOV commands to PUSH commands.
  • Such normalization involves detecting a MOV instruction in a specific individually-identifiable code fragment, corresponding to a command to move values to a register.
  • the MOV instruction is listed in the specific individually-identifiable code fragment before a CALL instruction, the MOV instruction is normalized to a PUSH instruction in the target genes.
  • the system also supports situations in which the MOV and CALL commands are not consecutive instructions with additional instructions interspersed between them. In such a case, the MOV command will be normalized to a PUSH command even though the CALL command doesn't immediately follow the MOV command.
  • a SUB instruction i.e., a subtraction command
  • an ADD instruction i.e., an addition command
  • code reuse is "masked" by such trivial substitutions (i.e., replacing an ADD with a SUB).
  • FIG. 1B is a simplified flowchart of the major process steps for genetic malware analysis and classification, according to embodiments of the present invention.
  • the process starts when the code of the target binary file is broken into pieces (Step 20 ), which are then normalized into genes (Step 22 ).
  • a numeric token is generated for each gene (Step 24 ).
  • the numeric token is used to identify the gene in the code genome database (Step 26 ).
  • the gene can then be stored in the code genome database (Step 28 ), or used to detect all files and/or code families containing the target gene (Step 30 ).
  • the system can determine the accurate designation (e.g., malicious, trusted, or library) of the target file being analyzed based on the total classification of the file's genes (Step 32 ).
  • such detecting as in Step 30 involves prioritizing that false-positive matches between the files and/or the code families of the target binary file and the target genes are not detected.
  • false-positive matches are exemplified as genericized matches among the target genes which are not related to a shared origin source code.
  • FIG 2A is a simplified flowchart of the major process steps for determining whether a target file is benign or malicious based on code reuse, according to embodiments of the present invention.
  • the process starts with breaking the code of a target binary file into fragments, and normalizing the fragments into genes (Step 40 ).
  • the numeric tokens are then used to search the code genome database for shared genes (Step 42 ).
  • the target file is determined to be malicious if it contains shared genes that are only found in malicious files (Step 44 ).
  • the target file is determined to be benign if it contains shared genes that are only found in trusted files (Step 46 ).
  • FIG. 2B is a simplified flowchart of the major process steps for classifying a target file to a malware family based on code reuse, according to embodiments of the present invention.
  • the process similarly starts with breaking the code of a target binary file into fragments, and normalizing the fragments into genes (Step 50 ).
  • the numeric tokens are then used to search the code genome database for shared genes (Step 52 ).
  • the malware file family (or families) to which the target file belongs to is determined based on the families of files that the target file shares shared genes with (Step 54 ).

Description

    FIELD AND BACKGROUND OF THE INVENTION
  • The present invention relates to methods and systems for genetic malware analysis and classification using code reuse patterns.
  • Despite the rapid pace of technology in general, few industries today are as dynamic as that of cyber security. Attackers' techniques are constantly evolving, and along with them, the potential threat.
  • For security teams, the challenge remains not to keep up, but rather, to outpace them. It is a persistent struggle: a never-ending, record-setting marathon at a constant sprint. Even as security professionals rest, attackers are hard at work. The tools and approaches used must also adapt in order to stay a step ahead in defending their organizations. Malware classification, which encompasses both the identification and attribution of code, has the power to unlock many clues that aid security teams in achieving this.
  • Such clues provide a greater understanding of potential adversaries. Going beyond whether code is trustworthy or malicious offers a multifaceted view into attackers' mindsets and ultimately, their goals.
  • Yet many security teams stop their line of inquiry once they reach a conclusion about a given file. If the code is trustworthy, no action is required. If the code is malicious, it needs to be mitigated and eradicated as quickly as possible, with recovery of important files occurring in tandem.
  • Terminating a process and deleting a file offers zero guarantees and solves no problems in the long term, unfortunately. Today, it's critical (and until now, quite complicated) to both analyze threats as well as fully understand them after the initial breach in an automated way. This is the one way that attackers can be remotely 'interrogated,' enabling security teams to uncover the reasons behind their actions simply rather than remediating and remaining oblivious.
  • Standard solutions such as signature based (AV) and behavioral analysis tools (sandboxes, EDR) can be circumvented by threat actors reusing code and assets. Whether legitimate or malicious, nearly every software is composed of previously written code; the key to deeply understanding its nature and origins lies in discovering code that has appeared in previously known software. Reports on malware statistics indicate that there are around 350,000 new samples every day. Attackers reuse their code, composing it differently to create new samples with different hashes. The high number of new files has made it difficult to keep up with the pace.
  • In the prior art, US Patent Publication No. 2014/0068768 recites an apparatus for identifying related code variants may include processing circuitry configured to execute instructions for receiving query binary code, processing the query binary code to generate one or more query code fingerprints comprising compressed representations of respective functional components of the query binary code, comparing the one or more query code fingerprints to at least some reference code fingerprints stored in a database to determine a similarity measure between the one or more query code fingerprints and at least some of the reference code fingerprints, and preparing at least one report based on the similarity measure.
  • US Patent Publication No. 2015/0186649 recites systems and methods for generating and applying identification codes or "fingerprints" with respect to software functions contained in executable files. Utilizing such fingerprinting procedures, the function identification codes for known malicious files and/or known benign can be stored in the database. Subsequently, received files can be processed in the same manner and the function identification codes generated for the received files can be compared against the function identification codes for the known malicious files and/or known benign files in the database to determine a level of similarity between the functions of received executable files and those of known categorized executable files in the database.
  • US Patent Publication No. 2017/0344352 recites that in a dynamic computing environment, it is a nontrivial task to verify code running in the environment because most approaches to software similarity require extensive and time-consuming analysis of a binary, or the approaches fail to recognize executables that are similar but nonidentical. A biosequence-based method for quantifying similarity of executable binaries is used to identify allowed codes in a real-world multi-user environment.
  • US Patent Publication No. 2009/0313700 recites a system and method for generating malware definitions for use in managing malware on a computer, including receipt of a binary file running in system memory; taking a memory dump of the binary file at a time slice and storing the memory dump in a memory dump file; applying a normalization process to the memory dump file, wherein the normalization process alters a collection of data from the memory dump file, resulting in a normalized file; applying a comparison process between the normalized file and each of a plurality of normalized files stored in a database of malware definitions wherein the comparison process produces a comparison value associated with each of the normalized files in the database of malware definitions; and inserting the normalized file into the database of malware definitions, when each of the comparison values satisfies a predetermined criterion.
  • A publication by Rad entitled, "Metamorphic Virus Variants Classification Using Opcode Frequency Histogram," discloses, in order to prevent detection and evade signature-based scanning methods, which are normally exploited by antivirus softwares, metamorphic viruses use several various obfuscation approaches.
  • US Patent Publication No. 2007/0240217 recites a system and method for detecting malware by modeling the behavior of malware and comparing a suspect executable with the model. Feature elements are extracted from malware-infected applications, groups the feature elements into feature sets, and develops rules describing a malicious probability relationship between the feature elements.
  • It would be desirable to have methods and systems for genetic malware analysis and classification using code reuse patterns. Such methods and systems would, inter alia, overcome the various limitations mentioned above.
    • SUMMARY
  • It is the purpose of the present invention to provide methods and systems for genetic malware analysis and classification using code reuse patterns. The invention is as defined in the appended claims.
  • It is noted that the term "exemplary" is used herein to refer to examples of embodiments and/or implementations, and is not meant to necessarily convey a more-desirable use-case. Similarly, the terms "alternative" and "alternatively" are used herein to refer to an example out of an assortment of contemplated embodiments and/or implementations, and is not meant to necessarily convey a more-desirable use-case. Therefore, it is understood from the above that "exemplary" and "alternative" may be applied herein to multiple embodiments and/or implementations. Various combinations of such alternative and/or exemplary embodiments are also contemplated herein.
  • Embodiments of the present invention utilize genetic malware analysis which is based on the evolutionary principle that all software, whether legitimate or malicious, is comprised of previously written code. Malware authors leverage code reuse when employing new campaigns. For defenders, this provides critical information for detection, classification, level of sophistication and threat actor capabilities.
  • Embodiments of the present invention exploit such aspects by generating a complete mapping of a suspicious file including information about which pieces of code have been seen only in a specific malware family, only in trusted software, or in both malicious and trusted software. In addition, metadata such as who is the vendor who wrote the code, and which versions does the code appear in provide useful information and context regarding the granular assembly-code pieces.
  • Moreover, knowing that a piece of code hasn't been seen before, can also indicate the following. If a suspicious file includes a lot of unique code, it might be a sign of a new malware variant, and that might be used as a strong indicator for detecting sophisticated threats. In such cases, the organization's SOC (Security Operation Center) or IR (Incident Response) team knows to place their focus and resources on these pieces of code, in order to determine their meaning.
  • Embodiments of the present invention enable security teams to reduce the number of files that need to be manually analyzed, enabling them to focus on the harmful, malicious files, prioritizing actual threats over false positives. Moreover, the ability to index specific malware targeting the organization into the genome database, means security professionals can not only ensure immunity for a single incident, but immune the organization against an adversary entirely. In addition, tracking code reuse in malware, forces the attacker to rewrite their tools and assets, making it much harder to conduct cyber-attacks.
  • Embodiments of the present invention enable trusted code to be indexed as well. For example, if proprietary software has code that was never seen before in the genome database, the code can be indexed as trusted. Such code would be visible only to the software's owner.
  • Implementations of the present invention dissect any given executable file (e.g., from disk or memory) into tiny pieces of binary code, referred to as genes, and compare the file's genes to a code genome database containing billions of genes from trusted and malicious software.
  • Therefore, according to the present invention, there is provided for the first time a method for genetic malware analysis and classification using code reuse patterns, the method including the steps of: (a) upon receiving a target binary file, disassembling the target binary file into assembly code; (b) extracting individually-identifiable code fragments from the assembly code; (c) normalizing the individually-identifiable code fragments into target genes by: (i) grouping certain instructions in a given individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in the given individually-identifiable code fragment; and (ii) grouping certain individually-identifiable code fragments into a unique target gene, of the target genes, that forms at most exclusively only one function code for performing a command instruction; (d) collating the target genes into a code genome database; and (e) detecting all files and/or code families in the code genome database containing the target genes from the target binary file, wherein the step of detecting includes prioritizing that false-positive matches between the files and/or the code families of the target binary file and the target genes are not detected, wherein the false-positive matches are exemplified as genericized matches among the target genes which are not related to a shared origin source code.
  • Alternatively, the step of normalizing includes upon detecting a NOP instruction, corresponding to a command for no operation to be performed, removing the NOP instruction from the target genes.
  • Alternatively, the step of normalizing includes upon detecting a MOV instruction in a specific individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein the MOV instruction is listed in the specific individually-identifiable code fragment before a CALL instruction, normalizing the MOV instruction to a PUSH instruction in the target genes.
  • Most alternatively, the MOV instruction is normalized to the PUSH regardless of whether the MOV instruction and the CALL instruction are consecutive instructions.
  • Alternatively, the step of normalizing includes upon detecting a SUB instruction, corresponding to a command for a subtraction operation to be performed, normalizing the SUB instruction to an ADD instruction, corresponding to a command for an addition operation to be performed, in the target genes.
  • Alternatively, the method further includes the step of: (f) determining an accurate designation of the target binary file based on the target genes.
  • Most alternatively, the accurate designation of the target binary file is: (i) malicious based on shared genes in the target genes and the code genome database only found in malicious files; or (ii) benign based on shared genes in the target genes and the code genome database only found in trusted files.
  • Most alternatively, the step of determining includes determining the target binary file is associated with at least one malware file family based on families of files that the target binary file shares shared genes with.
  • Alternatively, the step of normalizing includes normalizing multiple code instructions into a single code instruction.
  • According to the present invention, there is provided for the first time a system for genetic malware analysis and classification using code reuse patterns, the system including: (a) a CPU for performing computational operations; (b) a memory module for storing data; and (c) a disassembly module configured for, upon receiving a target binary file, disassembling the target binary file into assembly code; (d) an extracting module configured for extracting individually-identifiable code fragments from the assembly code; (e) a normalizing module configured for normalizing the individually-identifiable code fragments into target genes by: (i) grouping certain instructions in a given individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in the given individually-identifiable code fragment; and (ii) grouping certain individually-identifiable code fragments into a unique target gene, of the target genes, that forms at most exclusively only one function code for performing a command instruction; (f) a collating module configured for collating the target genes into a code genome database; and (g) a detecting module for detecting all files and/or code families in the code genome database containing the target genes from the target binary file, wherein the detecting includes prioritizing that false-positive matches between the files and/or the code families of the target binary file and the target genes are not detected, wherein the false-positive matches are exemplified as genericized matches among the target genes which are not related to a shared origin source code.
  • Alternatively, the normalizing includes upon detecting a NOP instruction, corresponding to a command for no operation to be performed, removing the NOP instruction from the target genes.
  • Alternatively, the normalizing includes upon detecting a MOV instruction in a specific individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein the MOV instruction is listed in the specific individually-identifiable code fragment before a CALL instruction, normalizing the MOV instruction to a PUSH instruction in the target genes.
  • Most alternatively, the MOV instruction is normalized to the PUSH regardless of whether the MOV instruction and the CALL instruction are consecutive instructions.
  • Alternatively, the normalizing includes upon detecting a SUB instruction, corresponding to a command for a subtraction operation to be performed, normalizing the SUB instruction to an ADD instruction, corresponding to a command for an addition operation to be performed, in the target genes.
  • Alternatively, the system further including: (h) a determining module configured for determining an accurate designation of the target binary file based on the target genes.
  • Most alternatively, the accurate designation of the target binary file is: (i) malicious based on shared genes in the target genes and the code genome database only found in malicious files; or (ii) benign based on shared genes in the target genes and the code genome database only found in trusted files.
  • Most alternatively, the determining includes determining the target binary file is associated with at least one malware file family based on families of files that the target binary file shares shared genes with.
  • Alternatively, the normalizing includes normalizing multiple code instructions into a single code instruction.
  • According to the present invention, there is provided for the first time a non-transitory computer-readable storage medium, having computer-readable code embodied on the non-transitory computer-readable storage medium, for genetic malware analysis and classification using code reuse patterns, the computer-readable code including: (a) program code for, upon receiving a target binary file, disassembling the target binary file into assembly code; (b) program code for extracting individually-identifiable code fragments from the assembly code; (c) program code for normalizing the individually-identifiable code fragments into target genes by: (i) grouping certain instructions in a given individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in the given individually-identifiable code fragment; and (ii) grouping certain individually-identifiable code fragments into a unique target gene, of the target genes, that forms at most exclusively only one function code for performing a command instruction; (d) program code for collating the target genes into a code genome database; and (e) program code for detecting all files and/or code families in the code genome database containing the target genes from the target binary file, wherein the detecting includes prioritizing that false-positive matches between the files and/or the code families of the target binary file and the target genes are not detected, wherein the false-positive matches are exemplified as genericized matches among the target genes which are not related to a shared origin source code.
  • Alternatively, the normalizing includes upon detecting a NOP instruction, corresponding to a command for no operation to be performed, removing the NOP instruction from the target genes.
  • Alternatively, the normalizing includes upon detecting a MOV instruction in a specific individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein the MOV instruction is listed in the specific individually-identifiable code fragment before a CALL instruction, normalizing the MOV instruction to a PUSH instruction in the target genes.
  • Most alternatively, the MOV instruction is normalized to the PUSH regardless of whether the MOV instruction and the CALL instruction are consecutive instructions.
  • Alternatively, the normalizing includes upon detecting a SUB instruction, corresponding to a command for a subtraction operation to be performed, normalizing the SUB instruction to an ADD instruction, corresponding to a command for an addition operation to be performed, in the target genes.
  • Alternatively, the computer-readable code further includes: (f) program code for determining an accurate designation of the target binary file based on the target genes.
  • Most alternatively, the accurate designation of the target binary file is: (i) malicious based on shared genes in the target genes and the code genome database only found in malicious files; or (ii) benign based on shared genes in the target genes and the code genome database only found in trusted files.
  • Most alternatively, the determining includes determining the target binary file is associated with at least one malware file family based on families of files that the target binary file shares shared genes with.
  • Alternatively, the normalizing includes normalizing multiple code instructions into a single code instruction.
  • These and further embodiments will be apparent from the detailed description and examples that follow.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • The present invention is herein described, by way of example only, with reference to the accompanying drawings, wherein:
    • Figure 1A is a simplified flowchart of the major process steps for the gene extraction process, according to embodiments of the present invention;
    • Figure 1B is a simplified flowchart of the major process steps for genetic malware analysis and classification, according to embodiments of the present invention;
    • Figure 2A is a simplified flowchart of the major process steps for determining whether a target file is benign or malicious based on code reuse, according to embodiments of the present invention;
    • Figure 2B is a simplified flowchart of the major process steps for classifying a target file to a malware family based on code reuse, according to embodiments of the present invention.
    DESCRIPTION OF THE ILLUSTRATIVE EMBODIMENTS
  • The present invention relates to methods and systems for genetic malware analysis and classification using code reuse patterns. The principles and operation for providing such methods and systems, according to the present invention, may be better understood with reference to the accompanying description and the drawings.
  • Referring to the drawings, Figure 1A is a simplified flowchart of the major process steps for the gene extraction process, according to embodiments of the present invention. The process starts with activation of the gene extraction process upon accessing a target binary file (Step 2). The binary file is then disassembled into assembly code (Step 4). Individually identified code fragments are extracted from the assembly code (Step 6). A normalization process is then performed to produce the genes of assembly code (Step 8). The genes are finally collated in a code genome database (Step 10).
  • The normalization process involves two grouping sub-steps. The first such sub-step involves grouping certain instructions in a given individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in the given individually-identifiable code fragment. The second such sub-step involves grouping certain individually-identifiable code fragments into a unique target gene, of the target genes, that forms at most exclusively only one function code for performing a command instruction.
  • The normalization process is based on rules that can support multiple architectures and instruction sets (e.g., x86, x64, ARM, and ARM64) under different operating systems (Windows, Linux, and Android), and even can be effective for non-native, intermediate languages (e.g., .NET, Java, Python, and Visual Basic). In all embodiments herein, multiple code instructions can be normalized into a single code instruction. Different rules are employed depending on the platform of the target file (i.e., different rules employed for x86, x64, .NET, and Java).
  • Some exemplary normalization rules include the following. The code of the target file may typically include an instruction for no operation to be performed (referred to as a NOP instruction). When a NOP instruction is detected, the system removes the instruction from the normalized code. The code of the target file may typically include a MOV instruction to move values to a register before calling a function. When such a MOV instruction is detected, the system normalizes the instruction to a PUSH instruction in the normalized code.
  • There are many ways for how subroutines receive parameters from their caller, and how they return a result, or call a function (referred to as a "calling convention"). A CALL instruction will jump to the function code and execute it. Such considerations depend on the compilation flags during the process. In order to be flexible, the system detects the genes as identical, even though the assembly is different. In one configuration, in order to send values to a function, the stack is utilized with a PUSH command. In another configuration, a MOV command moves values to registers before calling a function. The system normalizes such MOV commands to PUSH commands.
  • Such normalization involves detecting a MOV instruction in a specific individually-identifiable code fragment, corresponding to a command to move values to a register. When the MOV instruction is listed in the specific individually-identifiable code fragment before a CALL instruction, the MOV instruction is normalized to a PUSH instruction in the target genes.
  • The system also supports situations in which the MOV and CALL commands are not consecutive instructions with additional instructions interspersed between them. In such a case, the MOV command will be normalized to a PUSH command even though the CALL command doesn't immediately follow the MOV command.
  • As another exemplary normalization rule, for some architectures, a SUB instruction (i.e., a subtraction command) is normalized to an ADD instruction (i.e., an addition command). The underlying concept/operation for both commands is the same. In some instances, code reuse is "masked" by such trivial substitutions (i.e., replacing an ADD with a SUB). By applying such a normalization, a broader set of code genes can be categorized and analyzed.
  • The motivation for such normalization is the fact that the same source code can produce different assembly code. Without such normalization rules, similar code fragments which might go undetected because they are not an exact match in a one-to-one code comparison. Such an approach needs to balance being flexible in the rules and finding accurate matches (e.g., non-identical assembly code produced from the same source code) in the code genome database, while not making the rules too generic (e.g., matches between two assembly code fragments which are not related to a shared origin source code).
  • Figure 1B is a simplified flowchart of the major process steps for genetic malware analysis and classification, according to embodiments of the present invention. The process starts when the code of the target binary file is broken into pieces (Step 20), which are then normalized into genes (Step 22). A numeric token is generated for each gene (Step 24). The numeric token is used to identify the gene in the code genome database (Step 26). The gene can then be stored in the code genome database (Step 28), or used to detect all files and/or code families containing the target gene (Step 30). Finally, following Step 30 and/or iterations of the process thereof, the system can determine the accurate designation (e.g., malicious, trusted, or library) of the target file being analyzed based on the total classification of the file's genes (Step 32).
  • As described above with regard to the motivations for such normalization, and included in all embodiments herein, such detecting as in Step 30 involves prioritizing that false-positive matches between the files and/or the code families of the target binary file and the target genes are not detected. Such false-positive matches are exemplified as genericized matches among the target genes which are not related to a shared origin source code.
  • Figure 2A is a simplified flowchart of the major process steps for determining whether a target file is benign or malicious based on code reuse, according to embodiments of the present invention. The process starts with breaking the code of a target binary file into fragments, and normalizing the fragments into genes (Step 40). The numeric tokens are then used to search the code genome database for shared genes (Step 42). The target file is determined to be malicious if it contains shared genes that are only found in malicious files (Step 44). The target file is determined to be benign if it contains shared genes that are only found in trusted files (Step 46).
  • Figure 2B is a simplified flowchart of the major process steps for classifying a target file to a malware family based on code reuse, according to embodiments of the present invention. The process similarly starts with breaking the code of a target binary file into fragments, and normalizing the fragments into genes (Step 50). The numeric tokens are then used to search the code genome database for shared genes (Step 52). The malware file family (or families) to which the target file belongs to is determined based on the families of files that the target file shares shared genes with (Step 54).
  • While the present invention has been described with respect to a limited number of embodiments, it will be appreciated that many variations, modifications, and other applications of the present invention may be made.

Claims (15)

  1. A method for genetic malware analysis and classification using code reuse patterns, the method comprising the steps of:
    (a) upon receiving a target binary file, disassembling said target binary file into assembly code;
    (b) extracting individually-identifiable code fragments from said assembly code;
    (c) normalizing said individually-identifiable code fragments by:
    (i) grouping certain instructions in a given said individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in said given individually-identifiable code fragment; and
    (ii) grouping certain said individually-identifiable code fragments that form at most exclusively only one function code for performing a given instruction, wherein each grouping of said certain individually-identifiable code fragments is designated as a unique target code gene, and wherein a target code gene is defined as a code reuse pattern classification;
    (d) collating said target code genes into a code genome database; and
    (e) detecting all files and/or code families in said code genome database containing said target code genes from said target binary file, wherein said step of detecting includes prioritizing that false-positive matches between said files and/or said code families of said target binary file and said target code genes are not detected, wherein said false-positive matches are exemplified as genericized matches among said target code genes which are not related to a shared origin source code.
  2. The method of claim 1, wherein said step of normalizing includes upon detecting a MOV instruction in a specific said individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein said MOV instruction is listed in said specific individually-identifiable code fragment before a CALL instruction, normalizing said MOV instruction to a PUSH instruction in said target code genes.
  3. The method of any one of claims 1 or 2, the method further comprising the step of:
    (f) determining an accurate designation of said target binary file based on said target code genes.
  4. The method of claim 3, wherein said accurate designation of said target binary file is:
    (i) malicious based on shared code genes in said target code genes and said code genome database only found in malicious files; or
    (ii) benign based on shared code genes in said target code genes and said code genome database only found in trusted files.
  5. The method of any one of claims 1 to 4, wherein said step of normalizing includes normalizing multiple code instructions into a single code instruction.
  6. A system for genetic malware analysis and classification using code reuse patterns, the system comprising:
    (a) a CPU for performing computational operations;
    (b) a memory for storing data;
    (c) a disassembly module configured for, upon receiving a target binary file, disassembling said target binary file into assembly code;
    (d) an extracting module configured for extracting individually-identifiable code fragments from said assembly code;
    (e) a normalizing module configured for normalizing said individually-identifiable code fragments by:
    (i) grouping certain instructions in a given said individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in said given individually-identifiable code fragment; and
    (ii) grouping certain said individually-identifiable code fragments that form at most exclusively only one function code for performing a given instruction, wherein each grouping of said certain individually-identifiable code fragments is designated as a unique target code gene, and wherein a target code gene is defined as a code reuse pattern classification;
    (f) a collating module for collating said target code genes into a code genome database; and
    (g) a detecting module for detecting all files and/or code families in said code genome database containing said target code genes from said target binary file, wherein said detecting includes prioritizing that false-positive matches between said files and/or said code families of said target binary file and said target code genes are not detected, wherein said false-positive matches are exemplified as genericized matches among said target code genes which are not related to a shared origin source code.
  7. The system of claim 6, wherein said normalizing includes upon detecting a MOV instruction in a specific said individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein said MOV instruction is listed in said specific individually-identifiable code fragment before a CALL instruction, normalizing said MOV instruction to a PUSH instruction in said target code genes.
  8. The system of any one of claims 6 or 7, the system further comprising:
    (h) a determining module configured for determining an accurate designation of said target binary file based on said target code genes.
  9. The system of claim 8, wherein said accurate designation of said target binary file is:
    (i) malicious based on shared code genes in said target code genes and said code genome database only found in malicious files; or
    (ii) benign based on shared code genes in said target code genes and said code genome database only found in trusted files.
  10. The system of any one of claims 6 to 9, wherein said normalizing includes normalizing multiple code instructions into a single code instruction.
  11. A non-transitory computer-readable storage medium, having computer-readable code embodied on the non-transitory computer-readable storage medium, for genetic malware analysis and classification using code reuse patterns, the computer-readable code comprising:
    (a) program code for, upon receiving a target binary file, disassembling said target binary file into assembly code;
    (b) program code for extracting individually-identifiable code fragments from said assembly code;
    (c) program code for normalizing said individually-identifiable code fragments by:
    (i) grouping certain instructions in a given said individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in said given individually-identifiable code fragment; and
    (ii) grouping certain said individually-identifiable code fragments that form at most exclusively only one function code for performing a given instruction, wherein each grouping of said certain individually-identifiable code fragments is designated as a unique target code gene, and wherein a target code gene is defined as a code reuse pattern classification;
    (d) program code for collating said target code genes into a code genome database; and
    (e) program code for detecting all files and/or code families in said code genome database containing said target code genes from said target binary file, wherein said detecting includes prioritizing that false-positive matches between said files and/or said code families of said target binary file and said target code genes are not detected, wherein said false-positive matches are exemplified as genericized matches among said target code genes which are not related to a shared origin source code.
  12. The non-transitory computer-readable storage medium of claim 11, wherein said normalizing includes upon detecting a MOV instruction in a specific said individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein said MOV instruction is listed in said specific individually-identifiable code fragment before a CALL instruction, normalizing said MOV instruction to a PUSH instruction in said target code genes.
  13. The non-transitory computer-readable storage medium of any one of claims 11 or 12, the computer-readable code further comprising:
    (f) program code for determining an accurate designation of said target binary file based on said target code genes.
  14. The non-transitory computer-readable storage medium of claim 13, wherein said accurate designation of said target binary file is:
    (i) malicious based on shared code genes in said target code genes and said code genome database only found in malicious files; or
    (ii) benign based on shared code genes in said target code genes and said code genome database only found in trusted files.
  15. The non-transitory computer-readable storage medium of any one of claims 11 to 14, wherein said normalizing includes normalizing multiple code instructions into a single code instruction.
EP20199874.7A 2019-10-04 2020-10-02 Methods and systems for genetic malware analysis and classification using code reuse patterns Active EP3800570B1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US16/592,791 US10824722B1 (en) 2019-10-04 2019-10-04 Methods and systems for genetic malware analysis and classification using code reuse patterns

Publications (3)

Publication Number Publication Date
EP3800570A1 EP3800570A1 (en) 2021-04-07
EP3800570C0 EP3800570C0 (en) 2023-06-07
EP3800570B1 true EP3800570B1 (en) 2023-06-07

Family

ID=72744664

Family Applications (1)

Application Number Title Priority Date Filing Date
EP20199874.7A Active EP3800570B1 (en) 2019-10-04 2020-10-02 Methods and systems for genetic malware analysis and classification using code reuse patterns

Country Status (2)

Country Link
US (1) US10824722B1 (en)
EP (1) EP3800570B1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3850517A4 (en) 2018-09-15 2022-06-01 Quantum Star Technologies Inc. Bit-level data generation and artificial intelligence techniques and architectures for data protection
KR102308477B1 (en) * 2020-12-07 2021-10-06 주식회사 샌즈랩 Method for Generating Information of Malware Which Describes the Attack Charateristics of the Malware

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8312545B2 (en) * 2006-04-06 2012-11-13 Juniper Networks, Inc. Non-signature malware detection system and method for mobile platforms
US20090313700A1 (en) * 2008-06-11 2009-12-17 Jefferson Horne Method and system for generating malware definitions using a comparison of normalized assembly code
US9003529B2 (en) * 2012-08-29 2015-04-07 The Johns Hopkins University Apparatus and method for identifying related code variants in binaries
US20150186649A1 (en) * 2013-12-31 2015-07-02 Cincinnati Bell, Inc. Function Fingerprinting
US10043009B2 (en) * 2014-09-24 2018-08-07 Intel Corporation Technologies for software basic block similarity analysis
CN107615240B (en) * 2015-04-17 2021-11-02 巴特尔纪念研究所 Biological sequence based scheme for analyzing binary files

Also Published As

Publication number Publication date
US10824722B1 (en) 2020-11-03
EP3800570C0 (en) 2023-06-07
EP3800570A1 (en) 2021-04-07

Similar Documents

Publication Publication Date Title
Alazab Profiling and classifying the behavior of malicious codes
Chumachenko Machine learning methods for malware detection and classification
US9553889B1 (en) System and method of detecting malicious files on mobile devices
JP5326062B1 (en) Non-executable file inspection apparatus and method
JP5265061B1 (en) Malicious file inspection apparatus and method
US8261344B2 (en) Method and system for classification of software using characteristics and combinations of such characteristics
Vemparala et al. Malware detection using dynamic birthmarks
KR101230271B1 (en) System and method for detecting malicious code
Sihag et al. BLADE: Robust malware detection against obfuscation in android
KR101851233B1 (en) Apparatus and method for detection of malicious threats included in file, recording medium thereof
Zakeri et al. A static heuristic approach to detecting malware targets
Siddiqui Data mining methods for malware detection
Martinelli et al. I find your behavior disturbing: Static and dynamic app behavioral analysis for detection of android malware
EP3800570B1 (en) Methods and systems for genetic malware analysis and classification using code reuse patterns
Poudyal et al. Analysis of crypto-ransomware using ML-based multi-level profiling
Sun et al. An opcode sequences analysis method for unknown malware detection
Mishra Methods of Virus detection and their limitations
O'Kane et al. N-gram density based malware detection
Raymond et al. Investigation of Android Malware with Machine Learning Classifiers using Enhanced PCA Algorithm.
EP3113065B1 (en) System and method of detecting malicious files on mobile devices
Mahawer et al. Metamorphic malware detection using base malware identification approach
Chowdhury et al. Malware detection for healthcare data security
Albishry et al. An attribute extraction for automated malware attack classification and detection using soft computing techniques
Bernardi et al. Data-aware process discovery for malware detection: an empirical study
Bashari Rad et al. Morphed virus family classification based on opcodes statistical feature using decision tree

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20210412

RBV Designated contracting states (corrected)

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

RIC1 Information provided on ipc code assigned before grant

Ipc: G06F 21/56 20130101AFI20220711BHEP

INTG Intention to grant announced

Effective date: 20220817

GRAJ Information related to disapproval of communication of intention to grant by the applicant or resumption of examination proceedings by the epo deleted

Free format text: ORIGINAL CODE: EPIDOSDIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

INTC Intention to grant announced (deleted)
INTG Intention to grant announced

Effective date: 20230113

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

Ref country code: AT

Ref legal event code: REF

Ref document number: 1577168

Country of ref document: AT

Kind code of ref document: T

Effective date: 20230615

Ref country code: DE

Ref legal event code: R096

Ref document number: 602020011723

Country of ref document: DE

U01 Request for unitary effect filed

Effective date: 20230607

U07 Unitary effect registered

Designated state(s): AT BE BG DE DK EE FI FR IT LT LU LV MT NL PT SE SI

Effective date: 20230619

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG9D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230907

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230607

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230607

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230607

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230908

U20 Renewal fee paid [unitary effect]

Year of fee payment: 4

Effective date: 20231027

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230607

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20231007

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230607

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230607

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230607

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20231007

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230607

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230607

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT